Not a question. I struggled with working getting the regex syntax correct for a while to blacklist some noisy event code items and wanted to post my successful strings. Just in case someone else searches and finds this useful. blacklist1 = EventCode="4688" Message="New Process Name:\s+(?:[C-F]:\\(?:Program Files\\SplunkUniversalForwarder|Splunk)\\bin\\(?:splunk|splunkd|splunk-optimize|splunk-powershell|splunk-admon|splunk-netmon|splunk-MonitorNoHandle|python3|btool)\.exe) blacklist2 = EventCode="(4663|4660|4907)" Message="Process Name:\s+(?:[C-F]:\\(?:Program Files\\Microsoft Configuration Manager\\bin\\X64|Program Files \W\w{3}\W\\Symantec\\Symantec Endpoint Protection\\\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\.\d{1,5}\\Bin64|Program Files\\SMS_CCM|Windows\\System32|Windows\\System32\\(?:inetsrv|wbem)|.WINDOWS.~BT\\Sources|Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_\w{16,20}\.+\d\.+\d{1,6}\.+\w{22,30})\\(?:smsexec|sitecomp|TiWorker|SetupHost|WmiPrvSE|w3wp|poqexec|CcmExec|ccSvcHst)\.exe) I'm a novice with regex so there might be some ways to clean this up and make it shorter, but it works. If anyone has simplification recommendations, feel free to share.
... View more